[Snort-users] dual nic, was: flex response and cisco span ports
Burleson, Lee (IA)
Lee.Burleson at ...1358...
Wed Jan 2 16:08:04 EST 2002
Try unbinding TCP/IP from the non-admin interface(s). You will need the
latest version of WinPCap to do this. I have this running successfully in
my environment on several sensors now.
Big smiles to those guys in Italy for that improvement.
> -----Original Message-----
> From: Byron [mailto:snail945 at ...131...]
> Sent: Wednesday, January 02, 2002 14:13
> To: John Roberds
> Cc: snort-users at lists.sourceforge.net; tyler at ...4440...
> Subject: Re: [Snort-users] dual nic, was: flex response and cisco span
> I'm using a dual nic setup as mentioned a few times in this thread. I also
> have had issues where packets tried to leave off of the snort interface when
> I only want them to be routed out the administrative nic on a separate vlan
> as defined by the cisco 6509. Usually this only happened if the admin
> interfaces went down for some reason.
>
> On windows 2000, how can I allow snort to listen on one nic and not have an
> ip assigned to this nic? I'd like to avoid having a second default gateway
> in the local routing table. I only want a default gateway route for the
> administrative LAN.
> ----- Original Message -----
> From: "John Roberds" <roberdsj at ...4446...>
> Cc: <snort-users at lists.sourceforge.net>; <tyler at ...4440...>
> Sent: Wednesday, January 02, 2002 10:42 AM
> Subject: Re: [Snort-users] flex response and cisco span ports
> > tf,
> > The Cisco switches Steve mentions here are both IOS based
> > switches that by default permit the type of rx/tx on the
> > port by default. My guess is that you may be using a CLI ("set") based
> > switch like the 4K, 5K, & 6K family. I would try the additional parameters
> > inpkts enable on the span setup. e.g.
> > 6506(enable)# set span 4/40 4/41 both inpkts enable
> > This should do what you want for the single interface solution. However,
> > I like the two interface concept to facilitate an independent enterprise
> > wide vlan to collect data.
> > Good luck,
> > JR
> > Graeme Fowler wrote:
> > >
> > > tf wrote:
> > >
> > > > When snort has to respond [ie, send RST packets] I assume it
> > > > sends them out the interface it is listening on?
> > > > How does this work when monitoring a cisco switched network?
> > > > Once I make a port a monitor port, it is read-only and nothing
> > > > can be sent out on it, so what I've done in the past is put 2
> > > > interfaces on my snort sensors. One is a listener, the other
> > > > is the "management" port that I ssh to, etc, etc.
> > >
> > > In my experience, this is wrong on both counts. I have successfully used
> > > real live machines (both by accident *and* by design; long story) with
> > > live IP addresses plugged into a Cisco SPAN (port mirror,
> > > it what you will) port on Catalyst 2924XL and 3524/3548XL switches. It
> > > makes emergency oh-my-god-everything-broke situations a little more
> > > if you can sniff *and* make external connections thru the same NIC,
> > > especially when you have a laptop with a single interface... and you need to
> > > just dig that MAC address out of that remote database which is not on
> > > laptop!
> > >
> > > > So I guess my question is this.. Can I make the sensor send it's
> > > > flex-response packets out the 'mgmt' port instead? Surely
> > > > there are other people with an environment like this [snort,
> > > > cisco catalyst switches, flex-response] .. What's everyone else
> > > > doing?
> > >
> > > As far as I'm aware, snort chucks its flexresp packets out via *the
> > > gateway* therefore it spits them out thru whatever interface your
> > > route points at.
> > >
> > > YMMV obviously, but as far back as the initial implementations of
> > > snort didn't do anything too fancy, just generated the packets and
> > > them on the IP stack for the kernel to handle as it pleased. I'm not too
> > > proud to stand corrected, mind you!
> > >
> > > Graeme
> > > --
> > > Graeme Fowler
> > > System Administrator
> > > Host Europe Group PLC
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
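The thread's two practical points, that flexresp RSTs are handed to the IP stack and leave by whatever interface the host's route to the target selects (Graeme), and that an IP-bound sniffing NIC adds a second default gateway and can become that egress path (Byron, Lee), can be reasoned through with a small longest-prefix-match simulation of the sensor's route table. This is an added example written for this page; it is not code from the thread, from Snort or from WinPcap, and the interface names, addresses and route tables it uses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None  # None means directly connected

def build_routes(interfaces: Dict[str, List[Tuple[str, Optional[str]]]]) -> List[Route]:
    """Derive a host route table from per-NIC (address/prefix, default gateway) pairs.

    A NIC with no addresses (empty list) contributes no routes at all, which is
    the effect of unbinding TCP/IP from the sniffing interface as the thread
    recommends: nothing can be routed out of it.
    """
    routes: List[Route] = []
    for name, addrs in interfaces.items():
        for cidr, gw in addrs:
            connected = ipaddress.ip_interface(cidr).network
            routes.append(Route(connected, name))
            if gw is not None:
                routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), name, gw))
    return routes

def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, the same decision the kernel makes for a locally
    generated packet such as a flexresp RST; ties keep the first route seen."""
    target = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if target in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None

def default_gateways(routes: List[Route]) -> List[Tuple[str, Optional[str]]]:
    return [(r.interface, r.gateway) for r in routes if r.prefix.prefixlen == 0]

def audit(routes: List[Route], sniff_interface: str) -> List[str]:
    """Findings an operator would want before trusting where responses go."""
    findings = []
    gws = default_gateways(routes)
    if len(gws) > 1:
        findings.append("multiple default gateways: %s" % gws)
    if any(r.interface == sniff_interface for r in routes):
        findings.append("sniffing interface %s has routes; responses may egress it" % sniff_interface)
    return findings

# Constructed scenario: "admin" is the management NIC, "sniff" the SPAN-fed NIC.
MISCONFIGURED = {
    "admin": [("10.1.1.5/24", "10.1.1.1")],
    "sniff": [("192.168.50.5/24", "192.168.50.1")],  # IP bound, own default gateway
}
UNBOUND = {
    "admin": [("10.1.1.5/24", "10.1.1.1")],
    "sniff": [],  # TCP/IP unbound: no address, no routes
}

if __name__ == "__main__":
    for label, cfg in (("misconfigured", MISCONFIGURED), ("unbound", UNBOUND)):
        table = build_routes(cfg)
        print(label, "default gateways:", default_gateways(table))
        # An RST aimed at a host inside the monitored subnet
        print("  RST to 192.168.50.20 leaves via", egress_interface(table, "192.168.50.20"))
        # An RST aimed at an arbitrary external host
        print("  RST to 203.0.113.7 leaves via", egress_interface(table, "203.0.113.7"))
        print("  findings:", audit(table, "sniff"))
```

With the sniffing NIC bound, an RST toward a host in the monitored subnet matches the connected route and leaves the SPAN port (the behaviour Byron saw), and the table carries two equal-length default routes whose tie-break is an implementation detail. With TCP/IP unbound from that NIC, every locally generated packet resolves to the management interface, which is the only path the thread wants it to take.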